US Sharing Classified Information With Firms to Prevent Hack Attacks

The U.S. intelligence community is using classified information to protect a wider range of companies than ever before thanks to a new effort by the Department of Homeland Security.

Under the new initiative, dubbed "Enhanced Cybersecurity Services," or ECS, the Department of Homeland Security is releasing cyberthreat information developed by the super-secret National Security Agency, the FBI and others to participating American "Commercial Service Providers" in the telecommunications business. Those companies, which the government said include the telecom carriers AT&T and CenturyLink, are in turn eligible to use that classified information to develop and sell a package of higher security protection to qualified companies that the government deems to be part of the nation's critical infrastructure.

The initiative comes in the wake of the executive order by President Barack Obama designed in part to encourage such information sharing between the intelligence and corporate worlds and a new rhetorical aggressiveness against state-sponsored hacking by China.

On Monday, White House National Security Advisor Tom Donilon called on China to put a stop to the hacking. "From the president on down, this has become a key point of concern and discussion with China at all levels of our governments," Donilon told a New York meeting of the Asia Society. "The United States will do all it must to protect our national networks, critical infrastructure, and our valuable public and private-sector property."

The new program would appear to be a part of that effort. A spokesman for the Department of Homeland Security told CNBC that the "information provided through ECS is generally unavailable today to private-sector entities, and will help the private sector to develop innovative and efficient solutions to mitigate or prevent those risks."

One former high-ranking U.S. intelligence official categorized the ECS program as a work-in-progress. "They have at least two carriers working on it now. For this to be effective, I think they need at least five," the official said. "This is all being worked out, and there's a lot of bureaucratic wrangling going on."

The government stresses that the program, which began in February, is voluntary and that the Department of Homeland Security "embeds and enforces" privacy protections and transparency in this program and others.

James Lauritz | Digital Vision | Getty Images

Nonetheless, the effort represents a sweeping new application of classified information in the private sector, and sources say it has caused some concern among private firms that it could lead to other, mandatory efforts to police private U.S. corporate intellectual property and communications.

AT&T declined to comment for this article. CenturyLink confirmed its participation in the plan, but referred questions about it to the government.

The role of the telecommunications carriers is a hybrid of public and private cooperation. In return for participating in the program, the carriers get access to classified information they can use to build a potentially profitable business. "They're not doing this pro bono," said Michael Brown, a retired Navy rear admiral who is now an executive at the computer security firm RSA. "In a year, I would expect a very heavy demand signal from the private sector."

The program is built on an earlier effort to use similar tactics to protect U.S. defense contractors from cyberintrusions. Companies that want access to the higher level of cyberprotection must qualify through a two-step process. First, the government must determine that the company is part of U.S. critical infrastructure and the firm must be vetted for threats to U.S. national security or operational security.

Still, a government official said that the new program will be potentially open to hundreds—if not thousands—of companies.

The model for the new program is a Department of Defense initiative that began in May of 2012 to protect companies in the defense industrial base. A department spokesman said that 17 companies volunteered to provide time, resources and manpower in a pilot program that began in 2010.

The pilot program was not an unmitigated success. "At the end of the operational pilot, one of the commercial service providers withdrew," the defense spokesman said in an email to CNBC. "During the operational testing of the pilot, five of the 17 [defense industrial base] companies chose to withdraw and reallocate their resources to other corporate priorities."